When MasterCard introduced a feature last year in twelve countries that identifies the payor via fingerprint scanner or selfie, it took one further step toward abandoning the immensely flawed concept of chosen passwords and PINs. Considering the deplorable state of imaginative solutions – the globally dominant password being 123456 and the most-used PIN being 1234 – the move seemed long overdue. Another contribution to security breakdowns is the mushrooming number of “different” password requirements no one can seriously be expected to remember, particularly in combination with a multitude of user names and ever-simplified “forgot password” functions.
HSBC has additionally enabled identification via voice recognition software that verifies some 100 unique speech characteristics such as speed, vocal traction, nasal tones and enough others that are said to work even when the user suffers from a cold. Wells Fargo and a range of other banks enabled log-in via retina scan. Canadian start-up Nymi authenticates individuals through their pulse, taken by a wearable prototype interacting with near field communication terminals.
While banks and fintechs may be right in concluding that this increases safety beyond passwords, there is no question that biometrics will inaugurate just another round in the perpetual arms race between security and illegitimate access.
Its limitations are increasingly obvious.
At the 2014 Chaos Communication Congress, hacker Starbug a.k.a. Jan Krissler showed how a picture of German minister of defense Ursula von der Leyen, taken with a single lens reflex camera from a distance of three meters, sufficed to reproduce her thumb print with Verifinger, a graphics software tool.
Research at Michigan State University developed a simple method to print pictures of fingerprints on a pedestrian printer with a resolution sufficient to fool fingerprint readers, unlocking smartphones and completing transactions via Apple Pay.
The ACLU has shown that selfie scans heavily depend on lighting conditions and may be influenced by changes in hairdo, ageing or weight changes.
Background noises and recording issues may interfere with identification by voice recognition.
When hackers accessed 40,000 accounts at British Tesco Bank and withdrew funds from 9,000 accounts, the monetary loss of £2.5 million was the least of it and highlighted the consequences of compromised biometric databases: while one may change passwords with a minimum of fuss, not quite the same can be said for getting a new fingerprint or face – here, the method of identification is compromised, potentially permanently. It turns out that biometrics may be worse than passwords – and hackers are still notoriously at least one step ahead of the game.